General File Information

The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program; its email hosting is outsourced to Nuvox / Windstream. The server is most likely misconfigured or compromised and is being actively used as a relay for phishing.

House appropriators have recommended lopping $1.7 billion off the Navy's
2012 procurement request of $45 billion, according to budget documents obtained by Navy Times.

The mark-up, prepared by the House Appropriations Committee Subcommittee on Defense, would fund the Navy with $43.5 billion for procurement in fiscal 2012, a 3.7 percent drop from the Navy Department's request. These figures include the Marine Corps. The panel's proposed cuts to the Navy request were larger than those for the Army and Air Force combined.

While cuts were proposed across the board, the appropriators' red pen fell heavily on buying new airplanes, missiles and drones, and frequently cited growth in costs as the rationale for the cuts. The proposal will head to the full committee for a vote, one of a number of steps before passage.

The deepest cuts proposed were for naval aviation procurement. The panel recommended aviation procurement fall by $782 million, for a total of $17.8 billion. The Navy had requested $191 million for the Fire Scout drone program. That figure was more than halved by the subcommittee, who noted in the mark-up that the Navy's inventory of these unmanned helicopters was already "excess to requirement." The Navy had planned to procure 12 Fire Scouts in 2012. The committee recommended only $76 million for the program in 2012.

The carrier-based joint strike fighter saw a proposed drop of $55 million due to an engineering change carryover and growth in logistics support and ground support equipment.

Created files

This trojan is characterized by the traffic it generates:

http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D

Generic form:

http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy

where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy is a 12 char, more or less constant, string

Local Settings\Netlogon.exe

File: Netlogon.exe
Size: 91136
MD5: FD184057AB056595B3857CB5BF193094

The name of the dropped file can be different, for example
Local Settings\cisvc.exe
Size: 91136
MD5: FD184057AB056595B3857CB5BF193094

Local Settings\Temp\8630950 - network recon file (created and deleted) - random digit name. If it was deleted, it probably means it was deleted after the data was transferred to the attackers.
Local Settings\Temp\~dfds3.reg - registry file that adds an entry to the Run key to ensure persistence in the system

The language code of the file is displayed as English - United States (en-us, 1033), but the resource language ID is actually Chinese Simplified. (The language ID is a 16-bit word made up of a primary language and a sublanguage, as defined by Windows. If the resource item is "language neutral", this value is zero.)
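To see how that mismatch shows up, here is an added example (not from the original post) that decodes a Windows LANGID the way the PRIMARYLANGID and SUBLANGID macros do (low 10 bits primary language, high 6 bits sublanguage) and compares the language a version resource displays against the language ID the resource directory actually carries. The specific values used, a StringFileInfo key of "040904B0" (en-US, Unicode charset) next to a resource directory language of 0x0804 (Chinese Simplified), are assumed for illustration; the post does not give the raw numbers. In practice you would read both from the RT_VERSION resource with a PE parser such as pefile.

```python
# Windows LANGID layout (winnt.h): MAKELANGID(p, s) = (s << 10) | p
# 0x0409 = English (US), 0x0804 = Chinese (Simplified, PRC), 0 = language neutral.
LANG_NAMES = {0x09: "English", 0x04: "Chinese"}
SUBLANG_NAMES = {
    (0x09, 0x01): "United States",
    (0x04, 0x02): "Simplified (PRC)",
    (0x04, 0x01): "Traditional (Taiwan)",
}


def split_langid(langid):
    """Return (primary, sublanguage), mirroring PRIMARYLANGID / SUBLANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def make_langid(primary, sub):
    """Mirror MAKELANGID so the decoding can be checked round-trip."""
    return ((sub & 0x3F) << 10) | (primary & 0x3FF)


def langid_name(langid):
    """Human-readable name; unknown IDs fall back to their hex components."""
    if langid == 0:
        return "language neutral"
    primary, sub = split_langid(langid)
    p = LANG_NAMES.get(primary, f"primary 0x{primary:02x}")
    s = SUBLANG_NAMES.get((primary, sub), f"sublanguage 0x{sub:02x}")
    return f"{p} - {s}"


def parse_stringfileinfo_key(key):
    """StringFileInfo block key, e.g. '040904B0' -> (langid 0x0409, charset 0x04B0).

    This is what version-info viewers read to display 'English (United States)'.
    """
    if len(key) != 8:
        raise ValueError(f"expected 8 hex digits, got {key!r}")
    return int(key[:4], 16), int(key[4:], 16)


def version_language_mismatch(stringfileinfo_key, resource_langid):
    """True when the displayed language disagrees with the resource directory's
    language ID, the discrepancy noted for this sample."""
    displayed, _charset = parse_stringfileinfo_key(stringfileinfo_key)
    return displayed != resource_langid


if __name__ == "__main__":
    # Assumed values for illustration (not taken from the post).
    displayed_key, resource_lang = "040904B0", 0x0804
    shown, _ = parse_stringfileinfo_key(displayed_key)
    print(f"displayed: {langid_name(shown)} (0x{shown:04x}, {shown})")
    print(f"resource:  {langid_name(resource_lang)} (0x{resource_lang:04x})")
    print("mismatch:", version_language_mismatch(displayed_key, resource_lang))
```

The build-environment language leaking through the resource directory while the string table claims en-US is a weak but cheap indicator; treat it as one more artifact to correlate, not as attribution on its own.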

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.